Snort mailing list archives
Re: Multiple signatures 024
From: Matthew Mickel <mmickel () sourcefire com>
Date: Thu, 7 Mar 2019 07:46:29 -0500
Hi, Yaser-

Thanks for your submissions. We will test these and get back to you when we have finished. We would appreciate any relevant PCAPs that you have.

Best,
Matt Mickel
On Mar 6, 2019, at 12:21 PM, Y M via Snort-sigs <snort-sigs () lists snort org> wrote:

Hi,

On the previous post, I may have misidentified AveMaria as PlugX. Not sure how I came up with that. I apologize for any inconvenience this may have caused. Anyway, here is a new set of signatures, most of which have accompanying Yara and ClamAV signatures.

Thank you.
YM

# --------------------
# Title: Win.Trojan.TheRat
# Reference: Research
# Tests: pcaps
# Yara:
# - MALWARE_Win_Trojan_TheRat_Variant_1
# - MALWARE_Win_Trojan_TheRat_Variant_2
# - INDICATOR_Image_Embedding_Archive
# ClamAV:
# - MALWARE_Win.Trojan.TheRat-Variant-1
# - MALWARE_Win.Trojan.TheRat-Variant-2
# - INDICATOR_Image_Embedding_Archive
# Hashes:
# - 46cc296583d7ae1f6bdbe7a3f8d1c66f04a10a8fbc502b42e0b7eb15c3c0cad1
# - 484fb2977715262b2b6ded712c5846f10f6fb9594d9a61fb4488db88c102657c
# - 5ffcfe54e04748367dfc2bdaeab33fe80070d9b62b7032cac6e1def28cf67210
# - 90426ca0a5d0fad4bfbfef999b80577c3f592a247e29eb170490e20510076156
# - a21b719d48905fd06b2281a4a47bfa8605e895e1ad7812963d249f87368c42de
# - c301e722f409f0d5dd1c252c346f29a7f12a875e633c41216c1f88841854f68a
# - d85029c633e6705608b24bcd31c6c4ef23ce41a72238b7e19c190fed9d77b8b3
# - e0d0c5522eb9ff996ae422573e95ba43a29ff9dc70adc616440fc720146bf878
# Note:
# - NullSoft and Inno packed binaries.
# - Images embedding archives extracted.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.TheRat variant outbound connection attempt"; flow:to_server,established; content:"/update.php?id="; fast_pattern:only; http_uri; content:"&stat="; http_uri; content:"User-Agent: Mozilla/5.0 (Windows NT 5.1)|0D 0A|"; http_header; content:!"Accept"; http_header; content:!"Content"; http_header; metadata:ruleset community, service http; classtype:attempted-user; sid:8000544; rev:1;)

# --------------------
# Title: PlugX DNS Tunneling
# Reference: Research
# Tests: pcaps
# Yara:
# - MALWARE_Win_Trojan_PlugX_DLL
# ClamAV:
# - MALWARE_Win.Trojan.PlugX_DLL
# Hashes:
# - Initial Sample:
# - a3c66c8e929f582368e105c0ecedb0ead346494e9a14cf7e7d88f163049ce7f9 (RAR Archive)
# - bd8e56950c0c5878b298f97de2051c12d3c5714b6d01eb75b86797dc82732bbd (DLL)
# - Triage:
# - 9032a1644f525baaafa5199edf29fb18c71a8c221264c2890e1ec475138fc317 (RAR Archive)
# - 76b5bf13ba685211cf28f339dc18d691830f7006dd6630c2c6e80f18006cdb9e (DLL)
# - ece271ee20d3113b08862a1424f9d359a42270fbb3b2cdb9ccba6601248b0a7d (DLL)
# - e39e021c1867acf6e4af9f55756c30b5f2bf5e914c0960f4a2035d758966fb55 (RAR Archive)
# - 3fd178fbdf6b07a1f18c1b5749937db2cdf39b6e630fd1511409fb2c4d52e6ef (DLL)
# - bf423809330c5bf93bdf184075c2a0babcfa6fcda4f14a101e094c7b17677300 (RAR Archive)
# - a555193380d8c3c25a649e2393fb1366e9a5ac94a86a409eddc6f452474f986e (DLL)
# - 39c4b2371192a4365b8366e047355ba75fff6f78140dcac5f16306f6f50830cb (RAR Archive)
# - 507beb609fd324130d378b09f1c2bba147830a11e0e2d2447e8272cefe76e482 (DLL)
# Note:
# - Signature 3:30881 is sufficient for detection but not
# enabled by default, and may be bound to FPs.
# - Initial Sample was first observed 2017, but was not publicly available
# until recently.

alert udp $HOME_NET any -> any 53 (msg:"MALWARE-CNC Win.Trojan.PlugX dns tunneling outbound connection attempt"; flow:to_server; content:"|01 00 00 01 00 00 00 00 00 00 3F|"; offset:2; depth:11; fast_pattern; content:"|3F|"; distance:63; byte_jump:0, 0, from_end, post_offset -5; content:"|00 10 00 01|"; distance:0; within:5; metadata:ruleset community, service dns; classtype:trojan-activity; sid:8000545; rev:1;)

# --------------------
# Title: Suspected Molerats New Attack in the Middle East
# Reference: https://ti.360.net/blog/articles/suspected-molerats-new-attack-in-the-middle-east-en/
# Tests: pcaps
# Yara:
# - INDICATOR_Suspicous_Binary_Packed
# - INDICATOR_Base64_Binary__Packed
# ClamAV:
# - INDICATOR_Suspicous_Binary_Packed
# - INDICATOR_Base64_Binary_Packed
# Hashes:
# Note:
# - Instead of a PCRE to match the client body character set
# we look for the absence of a typical '=' in an HTTP form.
# - Updated existing signature: INDICATOR_Win_Binary_Many_Builtin_Executables
# for ClamAV and Yara.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Molerats variant outbound connection"; flow:to_server,established; urilen:1; content:"from: user"; http_header; content:"connection: close"; http_header; content:"user-agent"; http_header; content:!"="; depth:30; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000546; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Enigma packer executable file download detected"; flow:to_client,established; flowbits:isnotset,file.msi; flowbits:isnotset,file.packed; flowbits:isset,file.exe; file_data; content:".enigma1"; content:".enigma2"; distance:32; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:8000547; rev:1;)

# --------------------
# Title: CVE-2018-20377
# Reference: https://nvd.nist.gov/vuln/detail/CVE-2018-20377
# Tests:
# Yara: NA
# ClamAV: NA
# Hashes: NA

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Orange LiveBox privilege escalation attempt"; flow:to_server,established; urilen:23; content:"/get_getnetworkconf.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-admin; sid:8000548; rev:1;)

# --------------------
# Title: GreyEnergy’s overlap with Zebrocy
# Reference: https://securelist.com/greyenergys-overlap-with-zebrocy/89506/
# Tests:
# Yara: NA
# ClamAV: NA
# Hashes: NA

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy outbound connection attempt"; flow:to_server,established; content:"/help-desk/remote-assistant-service/PostId"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000549; rev:1;)

# --------------------
# Title: Zipped JS > PowerShell > GandCrab v5.2
# Reference: Research
# Tests: pcaps
# Yara:
# - MALWARE_Win_JS_Downloader_Variant_1
# - MALWARE_Win_JS_Downloader_Variant_2
# - INDICATOR_JS_Obfuscation_Patterns
# ClamAV:
# - Email.Trojan.ScriptDownloader (.cdb)
# - MALWARE_Win_JS_Downloader_Variant_1
# - MALWARE_Win_JS_Downloader_Variant_2
# Hashes: List is too long to be shared here.
# Notes:
# - HTTPS connections go to: hxxps://www[.]kakaocorp[.]link/includes/imgs/kaimhe.bmp

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.JS downloader outbound connection attempt"; flow:to_server,established; urilen:<20; content:"User-Agent: Windows|0D 0A|"; fast_pattern:only; http_header; content:!"Accept"; http_header; content:!"Content"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000550; rev:1;)

alert udp $HOME_NET any -> any 53 (msg:"MALWARE-CNC DNS request to known malicious domain - GandCrab Ransomware"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|kakaocorp|04|link"; fast_pattern:only; metadata:ruleset community, service dns; classtype:trojan-activity; sid:8000551; rev:1;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-CNC Win.Ransomware GandCrab variant certificate exchange"; flow:to_client,established; ssl_state:server_hello; content:"|55 04 03 13 0E|kakaocorp.link"; fast_pattern:only; metadata:ruleset community, service ssl; classtype:trojan-activity; sid:8000552; rev:2;)

# --------------------
# Title: EdgeSpot detects PDF samples tracking users who use Google Chrome as local PDF viewer
# Reference: https://blog.edgespot.io/2019/02/edgespot-detects-pdf-zero-day-samples.html
# Tests: pcaps
# Yara:
# - MALWARE_Pdf_Trojan_Ticanoti_Variant_1
# - MALWARE_Pdf_Trojan_Ticanoti_Variant_2
# - MALWARE_Pdf_Trojan_Ticanoti_Variant_3
# ClamAV:
# - Pdf.Trojan.Ticanoti-Variant-1
# - Pdf.Trojan.Ticanoti-Variant-2
# - Pdf.Trojan.Ticanoti-Variant-3
# Hashes:
# - 0cc1234c981806dd22e0e98e4be002e8df8d285b055e7f891ff8e91af59aee1e
# - 2dd6ade4d0d4dc8224b28f8819b1c49bb7ae4025933e737ac8069c496d88bb43

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Pdf.Trojan.Ticanoti outbound information leak detected"; flow:to_server,established; content:"/nocache/"; http_uri; content:"?page="; http_uri; fast_pattern:only; content:"//mhjfbmdgcfjbbpaeojofohoefgiehjai|0D 0A|"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000553; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Pdf.Trojan.Ticanoti outbound information leak detected"; flow:to_server,established; content:"//mhjfbmdgcfjbbpaeojofohoefgiehjai|0D 0A|"; fast_pattern:only; http_header; content:"<</F<</F(file////"; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000554; rev:1;)

# --------------------
# Title: HawkEye / iSpy
# Reference: Research
# Tests: pcaps
# Yara:
# - INDICATOR_Win_DotNet_Packed
# ClamAV:
# - INDICATOR_Win_DotNet_Packed
# Hashes:
# - 039aa11d64377ad3719a3d637a8930b58140f60fa3c3025bf362d5f1186dc388
# - 0432d8f8f5493463e21e63bec2775b0768883427a3c304ed5c654295fe194f54
# - 059caf37845d86effe76c9884cc1ac328fb3e9e173ea7a591e39471643e46cfc
# - 3124000b9f0e4422ad5c153ea6c0b12e6740bb0672de53807b47b3fb1d96b9d1
# - 70030f1def1ff72fdcd64e31df5bb2f9edc53aa29552b7fe252aee6d8fb471f1
# - 79849bd2c0f7983623ed2da2a94a9cc57de192f823899d542887b7e87710ae1b
# - 9f7dca729655b97e79eff175797424b135790cf6e550b193285d04cb793e397a
# - b28f51704e94543040344a257555e8c0c3f175dcaff6a09bdd581503dfefd84e
# - b94eba88f222d0114ea940613ef7459a7d7f2ab9410abb9c1bfb2b59e063b92d
# - ba147bb736208f03e1272cd956078cc8d799dc5e0a087f1ead61c8ef20f8a1c4
# - bac7beac51934f584804cc38ab154d68e6085716704714051e5b1c433e1a87f6
# - d716c64eba90657a20742dd63adbef2ce23ba76ef743aec038665266f62072f0
# - e98f4dbfc2c5bfe7d4f8f4a21bcab3a4f8b0a577c1f25b417371b9047eba6e66
# - f0170c0df25cbcb224d2237836d94d5dcc23a628fdd13300fdf085dd0a1bcbeb
# Notes:
# - SID 8000512 from a previous sigs post is valid in this context.

alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"MALWARE-CNC Win.Trojan.HawkEye/iSpy outbound connection attempt"; flow:to_server,established; content:"Subject: HawkEye Keylogger "; fast_pattern:only; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000555; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"MALWARE-CNC Win.Trojan.HawkEye/iSpy outbound connection attempt"; flow:to_server,established; content:"- Passwords Logs -"; fast_pattern:only; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000556; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"MALWARE-CNC Win.Trojan.HawkEye/iSpy outbound connection attempt"; flow:to_server,established; content:"- Keyboard Logs -"; fast_pattern:only; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000557; rev:1;)

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
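The two DNS rules in the submission above, SID 8000545 (PlugX DNS tunneling) and SID 8000551 (GandCrab domain lookup), pin down specific byte positions in the UDP payload, and it is easy to misread what offset/depth/distance/within and byte_test actually constrain. The following is an added example, written for this page and not part of the original post or of the Snort project: it builds RFC 1035 query payloads locally and re-implements each rule's matching logic in Python so the byte positions can be checked by hand. The names under example.test are constructed; kakaocorp.link is the domain the post names. Nothing is sent on the network.

```python
"""Added example (not from the original post): the DNS-layer checks of
SIDs 8000545 (PlugX DNS tunneling) and 8000551 (GandCrab domain lookup)
re-implemented over constructed DNS query payloads.

Snort's offset/depth/distance/within semantics are applied by hand on the
UDP payload. Packets are built locally; nothing is sent."""
import struct

QTYPE_A, QTYPE_TXT = 1, 16
FLAGS_QUERY_RD = 0x0100     # standard query, recursion desired
FLAGS_RESPONSE = 0x8180     # QR=1, RD, RA: a typical resolver answer


def build_query(qname: str, qtype: int, txid: int = 0x1234,
                flags: int = FLAGS_QUERY_RD) -> bytes:
    """RFC 1035 header (12 bytes) + one QNAME/QTYPE/QCLASS question."""
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(part)]) + part.encode()
                      for part in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)


def match_plugx_tunnel(payload: bytes) -> bool:
    """SID 8000545.
    content:"|01 00 00 01 00 00 00 00 00 00 3F|"; offset:2; depth:11;
        bytes 2..12: flags 0x0100, QDCOUNT 1, AN/NS/ARCOUNT 0, and a first
        label of length 63 (the maximum a DNS label allows)
    content:"|3F|"; distance:63;
        skip the 63 label bytes; the next length byte is again 63. The rule
        sets no 'within', so Snort accepts a 0x3F anywhere past that point
    byte_jump:0,0,from_end,post_offset -5; content:"|00 10 00 01|"; distance:0; within:5;
        the last 5 bytes hold root label 0x00, QTYPE TXT (16), QCLASS IN (1)
    """
    if payload[2:13] != b"\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x3f":
        return False
    cursor = 13 + 63                     # detection pointer after the first label
    if payload.find(b"\x3f", cursor) == -1:
        return False
    return b"\x00\x10\x00\x01" in payload[-5:]


def match_gandcrab_lookup(payload: bytes) -> bool:
    """SID 8000551.
    byte_test:1,!&,0xF8,2;   byte 2 (QR + Opcode bits) must be clear: a
                             standard query, not a response
    content:"|09|kakaocorp|04|link";   the wire-encoded labels, anywhere
    """
    if payload[2] & 0xF8:
        return False
    return b"\x09kakaocorp\x04link" in payload


# Constructed sample traffic (hypothetical names under example.test).
TUNNEL_QUERY = build_query("a" * 63 + "." + "b" * 63 + ".c2.example.test", QTYPE_TXT)
LONG_A_QUERY = build_query("a" * 63 + "." + "b" * 63 + ".c2.example.test", QTYPE_A)
BENIGN_TXT_QUERY = build_query("_dmarc.example.test", QTYPE_TXT)
GANDCRAB_QUERY = build_query("www.kakaocorp.link", QTYPE_A)
GANDCRAB_RESPONSE_HDR = build_query("www.kakaocorp.link", QTYPE_A, flags=FLAGS_RESPONSE)


def run_checks() -> dict:
    """Evaluate both rules against every sample: name -> (8000545, 8000551)."""
    samples = {
        "tunnel_txt": TUNNEL_QUERY,
        "long_labels_A": LONG_A_QUERY,
        "benign_txt": BENIGN_TXT_QUERY,
        "gandcrab_query": GANDCRAB_QUERY,
        "gandcrab_response_flags": GANDCRAB_RESPONSE_HDR,
    }
    return {name: (match_plugx_tunnel(p), match_gandcrab_lookup(p))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (plugx, gandcrab) in run_checks().items():
        print(f"{name:26s} 8000545={plugx!s:5s} 8000551={gandcrab}")
```

Two things the re-implementation makes visible. First, 8000545 fires on any TXT query whose first two labels are both 63 bytes long, regardless of the domain, so a legitimate service that packs data into maximal labels would match as well; the submitter's note that the existing 3:30881 "may be bound to FPs" applies here too, and the rule should be validated against the provided PCAPs plus some ordinary TXT traffic before being enabled. Second, in 8000551 the byte_test on the flags byte is what keeps the rule from firing on answers that happen to echo the question section; since the rule already restricts direction with `$HOME_NET any -> any 53`, the test is a belt-and-braces check rather than the primary filter.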
Current thread:
- Multiple signatures 024 Y M via Snort-sigs (Mar 06)
- Re: Multiple signatures 024 Matthew Mickel (Mar 07)